XSS in editing wiki page title

RESOLVED FIXED

Status

support.mozilla.org
General
8 years ago
2 years ago

People

(Reporter: jbalogh, Unassigned)

Tracking

({wsec-xss})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [infrasec:xss])

(Reporter)

Description

8 years ago
https://support.mozilla.com/en-US/kb/<article>/edit

Put <script>alert('come on')</script> into the title and go to /edit.

The code in edit_document.html:

    <h1>{{ _('<em>Editing</em> {title}')|f(title=document.title)|safe }}</h1>

Using |fe should solve that.
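
The difference between `|f(...)|safe` and `|fe` described in the report above, as an added example that is not code from the bug or from the site. `f` and `fe` here are standard-library stand-ins whose behaviour is an assumption (format only, versus escape the arguments and then format), and `live_tags` is a hypothetical regression check.

```python
from html import escape
from html.parser import HTMLParser

# Trusted, developer-written markup with one placeholder for user data.
TEMPLATE = "<em>Editing</em> {title}"
# The title from the report, reused here as constructed sample input.
REPORTED_TITLE = "<script>alert('come on')</script>"


def f(fmt, **kwargs):
    """Assumed |f behaviour: plain str.format, arguments are not escaped."""
    return fmt.format(**kwargs)


def fe(fmt, **kwargs):
    """Assumed |fe behaviour: HTML-escape every argument, then format."""
    return fmt.format(**{k: escape(str(v), quote=True) for k, v in kwargs.items()})


def heading_with_f_safe(title):
    # Mirrors |f(title=...)|safe: the formatted string, user data included,
    # is emitted as trusted markup, so autoescaping never sees the title.
    return "<h1>" + f(TEMPLATE, title=title) + "</h1>"


def heading_with_fe(title):
    # Mirrors |fe(title=...): only the template's own <em> stays live markup.
    return "<h1>" + fe(TEMPLATE, title=title) + "</h1>"


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser finds in the rendered output."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def live_tags(html):
    collector = TagCollector()
    collector.feed(html)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print(live_tags(heading_with_f_safe(REPORTED_TITLE)))
    print(live_tags(heading_with_fe(REPORTED_TITLE)))
```
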
(Reporter)

Comment 2

7 years ago

Fixed?

Looks fixed to me.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss

These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security